Securing business processes using security risk-oriented patterns

• We propose a method to develop secure business processes.
• The method is based on collaboration between business and security analysts.
• We define a set of security risk-oriented patterns.
• We use the BPMN notation to present these patterns graphically.
• The proposal is tested within two industrial business models.

Business process modelling and security engineering are two important concerns when developing information system. However current practices report that security is addressed at the later development stages (i.e. design and implementation). This raises a question whether the business processes are performed securely. In this paper, we propose a method to introduce security requirements to the business processes through the collaboration between business and security analysts. To support this collaboration we present a set of security risk-oriented patterns. We test our proposal in two industrial business models. The case findings characterise pattern performance when identifying business assets, risks, and countermeasures.